Cracking 14 Character Complex Passwords in 5 Seconds

There has been a lot of talk recently in the security community about high speed GPU (video card) processors being able to crack passwords very quickly.

But there is a technology that can crack them even faster. A Swiss security company called Objectif Sécurité has created a cracking technology that uses rainbow tables on SSD drives.

Apparently it is the hard drive access time and not the processor speed that slows down cracking speed. So using SSD drives can make cracking faster, but just how fast?

One article in March of this year stated that the technique using SSD drives could crack passwords at a rate of 300 billion passwords a second, and could decode complex passwords in under 5.3 seconds. So, how long would a long complex password hold up to the SSD based cracking technology?

Sounds like we need to put this to the test. Most hackers will crack passwords by decoding the password hash dumps from a compromised computer. So, I pulled several 14 character complex password hashes from a compromised Windows XP SP3 test machine, to see how they would stand up to Objectif’s free online XP hash cracker. The results were stunning.

Let’s start out with an easy one. Here is the Administrator password hash from the machine:

Hash: 747747dc6e245f78d18aebeb7cabe1d6:43c6cc2170b7a4ef851a622ff15c6055

Password: T&p/E$v-O6,1@}

Time: Okay, this one really pushed it to the limits, it took a whole 11 seconds to crack! (* Ran it through a second time later on and it got it in 3 seconds!)

Very impressive, it took only five to eleven seconds in this test to crack 14 character complex passwords. I was able to create a password that Objectif’s site couldn’t decode; it was using characters from the extended ASCII set. But, unfortunately, I could not log into the XP system using it either. 🙂

Want to see how a password would do without having to exploit a system and dump the password hashes? Objectif allows you to put a password in and it will convert it for you. Then you can place the hash into the cracker and see how it does.

Granted, these are Windows LM Hashes and not the more secure Windows 7/ Server 2008 NTLM based hashes. But, I believe that with cracking speeds increasing, relying on passwords alone may no longer be a good security measure. Many companies and government facilities are moving away from using just passwords to dual authentication methods. Biometrics and smartcards are really becoming popular in secure facilities.

You realize that LM hashes are 7 characters max right? So your 14 character password is really just two 7 character passwords. That’s why it’s so fast. The title of your article is horrifically misleading.

What is misleading is that it is not a true 14 character password. It is two 7 character passwords which are hashed separately. Yes it may not seem different but if there is a 96 character set (upper + lower case letters + numbers + common symbols) – 7 characters is around 75 trillion possible combinations. 2 * 75 is around 150 trillion possible combinations, but a 14 character password with 96 characters is around 5 octillion combinations. 75 trillion * 2 or 75 trillion ^ 2. See the difference? This would not be as fast with a real 14 character password. NTLM has been broken for a long time.

Thank you for the input. True, NTLM hashes are stored in two separate 7 character lots. But users feel safer when they are told endlessly to use longer, complex passwords.

What this post shows is that from a common, every day Windows XP machine (that has LM hashing enabled by default), it doesn’t matter if you enter a 4 character password, 7 character or 14. Or how complex it is. Technology exists that can crack it in about 5 seconds.

The speed of the SSD based cracker is much faster than anything else out there.

Those Swiss are getting sloppy: after producing secure encryption devices that add the encryption key at the end of the message, now they try to make money out of exploiting the NTLM password hash flaw introduced by the idiot who designed it.

It is very cool to see an implementation using SSD drives. I keep an 80GB, SATA disk laying around filled with rainbow tables and it can take up to about 10 minutes max (through a USB connection to the drive) to find/compare the correct LM hashes.

As others have said, LM supports 14 character password max and splits that into two 7 character passwords. So each 7 character half is hashed separately. The method used here is a simple hash comparison. If you have two passwords exactly the same, hashed via LM, the hash will be the same. Now, if you have two NTLM passwords, the same, the hash will be different as there is “salt” or variance added to the algorithm.

This prevents the simple hash comparison via rainbow tables that can be accomplished for LM hashes.
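The split into two 7 character halves and the keyspace figures quoted in the comments above can be checked from a hash dump without cracking anything. The following is an added example, not code from the post or its commenters: it assumes pwdump-style `user:rid:lm:nt:::` lines, the `shortpw` and `nolm` accounts and their hash values are constructed placeholders, and the function names are hypothetical.

```python
# Added example: audit pwdump-style lines for stored LM hashes.
EMPTY_LM_HALF = "aad3b435b51404ee"  # LM value of an empty 7-character half

# Constructed sample dump. The Administrator LM:NT pair is the one quoted in
# the post; the other accounts and their hash values are made-up placeholders.
SAMPLE_DUMP = """\
Administrator:500:747747dc6e245f78d18aebeb7cabe1d6:43c6cc2170b7a4ef851a622ff15c6055:::
shortpw:1003:0123456789abcdefaad3b435b51404ee:00112233445566778899aabbccddeeff:::
nolm:1004:aad3b435b51404eeaad3b435b51404ee:ffeeddccbbaa99887766554433221100:::
"""

def classify_lm(lm_hex):
    """Return how much of the password the LM field exposes."""
    lm = lm_hex.strip().lower()
    if len(lm) != 32 or any(c not in "0123456789abcdef" for c in lm):
        return "malformed"
    first, second = lm[:16], lm[16:]
    if first == EMPTY_LM_HALF and second == EMPTY_LM_HALF:
        return "no-lm-hash"      # blank password, or no LM hash stored
    if second == EMPTY_LM_HALF:
        return "lm-one-half"     # password is 7 characters or fewer
    return "lm-two-halves"       # 8-14 characters, two independent halves

def audit(dump_text):
    """Map each account name to its LM classification."""
    findings = {}
    for line in dump_text.splitlines():
        fields = line.split(":")
        if len(fields) < 4:
            continue             # not a user:rid:lm:nt record
        findings[fields[0]] = classify_lm(fields[2])
    return findings

def search_space(charset, length, lm_split):
    """Candidates to cover for one password, with or without the LM split."""
    if not lm_split:
        return charset ** length
    first, second = min(length, 7), max(length - 7, 0)
    return charset ** first + (charset ** second if second else 0)

if __name__ == "__main__":
    for account, verdict in audit(SAMPLE_DUMP).items():
        print(f"{account:15} {verdict}")
    # The 96-character set used in the comment above, 14 characters long.
    print("two halves:", search_space(96, 14, True))
    print("unsplit   :", search_space(96, 14, False))
```

Any account reported as `lm-one-half` or `lm-two-halves` still has an LM hash on disk and is the kind the post asks administrators to eliminate by turning off LM hashing.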

True, Linux has been using Salted passwords forever. But because Windows is concerned about backward compatibility, LM hashes are still around.

I saw a report that mentioned that Sharepoint still uses LM hashes too.

The raw speed of the SSD drive is what just amazes me. As you said the online cracker is basically doing lookups on two separate 7 character passwords, so in effect it is cracking two 7 character passwords in about 5 seconds.

Yeah you are very right on LM hashes still being around and widely used. On actual computer forensics cases or during the course of pen-testing that I perform many people are still using XP with passwords under 14 characters with the default LM hash.

As far as I’m concerned, anything that speeds up the process is good news to me :]

I had not seen this free service by Objectif either. Pretty nice. I think it is inspiring me to dedicate an SSD just for this purpose.

I just wanted to thank everyone for sharing this article and passing it along. Since it was released last week this article very surprisingly has been read over 10,000 times and I have read excerpts of it in 4 different languages!

I also want to thank all those who have chipped in comments on this article on this site and other sites linking to it. You have provided some great information for users on password storage techniques and safety tips!

Thank You!

Oh, and by the way, a recent report stated that 74% of business computers are still using Windows XP. Please turn off LM Hashing! 🙂

I have used some pretty crazy passwords and it has gotten them. Is it using characters from the extended ASCII set? I don’t think it will get some of them, but I have also had trouble trying to log into Windows XP using them also.

No extended characters from the ASCII that I’m aware of. I know the password length is 11 places. Have you tried any passwords in your tests that include spaces? I’m not clear if the password hash above does either way. Any suggestions on any sites that run the extended char sets for free?